2. How and where to deploy

The Linksys BEFSR41, BEFW11, WRT54G and their siblings are designed
to be used as gateway boxes on a home Ethernet. Typically, you'll hook one
up to a DSL or cable modem, which will automatically switch into bridge
mode and simply pass packets between your ISP's router and the Linksys box.

If you want to use a general-purpose PC running Linux as a firewall,
have fun — but these little boxes are more efficient. The nicest
thing about them is that they run out of firmware and, assuming you take
the elementary precautions we describe, are too stupid to be cracked.
Also, they don't generate fan noise or heat. Finally, they run Linux
inside and can be customized and hacked in useful ways.

Linksys boxes used to have a good reputation for reliability.
Something bad happened to their quality control after Cisco acquired the
company in March 2003; I had two go silently dead on me in less than a
year, and I heard grumbling from others about similar problems.
Unfortunately when I tried other low-end brands (Belkin, Buffalo) they
proved to have gross design errors. The Belkin had brain-damage in its
firewall rules that interfered with local SMTP, and the Buffalo
intermittently refused connections for no apparent reason. So I went back
with Linksys, hoping my WRT54G wouldn't turn into a doorstop within a couple
of months. As of mid-2006, I've been OK for about 24 months.

(Building one of these puppies is not rocket science. I can only
conjecture that the competitive pressure is driving the manufacturers to cut
costs to the bone by hiring programmers out of the bottom of the barrel
and having the manufacturing done by some low-end contract house
in Indonesia or somewhere. The results, alas, tend to be unstable
crap. Caveat emptor.)

Note another consequence of the Cisco acquisition: Linksys is now
what marketers call a flank guard, a low-end brand designed to protect the
margins and brand image of Cisco's commercial-grade networking products.
This means that Linksys boxes are no longer acquiring new firmware
features, and some old ones like stateful packet inspection almost
certainly won't be coming back. Provided you can live within these limits,
this is actually good; simpler firmware is more stable firmware. And, in
any case, the open-source replacement firmwares can give you back the
features and complexity if you want them.

At minimum, a live Linksys box will do the following things for
you:

Act as an Ethernet router. You can
plug all your lines and hubs and hosts into it to exchange packets even
when your outside link is down.

Act as a smart gateway. When you
configure the Linksys with a public static IP address (or tell it to grab a
dynamic IP address from your ISP at startup time), it will gateway between
hosts on your private network and the Internet, performing all the IP
masquerading and address translation required to route your traffic.

Firewall your connection. You can
tell it to block out all but the minimum service channels you need. You can
specify separately, for each service, to which of your internal machines
the traffic should be routed.

I give my Linksys box the standard private-network gateway
address, 192.168.1.1. I then give all my boxes 192.168.1.x addresses
and tell them the Linksys is their gateway. Everything works.
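
The default-deny forwarding behavior and the 192.168.1.x address plan described above, as an added example (not part of the original HOWTO and not Linksys firmware code): a small Python model that audits a per-service forwarding table and shows where an unsolicited inbound connection lands. The table entries, host addresses and function names are constructed for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")   # address plan from the text
GATEWAY = ipaddress.ip_address("192.168.1.1")  # the Linksys box itself

# Constructed sample table: (protocol, external port) -> internal host.
FORWARDS = {
    ("tcp", 22): "192.168.1.10",
    ("tcp", 25): "192.168.1.10",
    ("tcp", 80): "192.168.1.20",
}

def audit(forwards):
    """Return a list of problems found in a forwarding table."""
    problems = []
    for (proto, port), host in sorted(forwards.items()):
        label = f"{proto}/{port} -> {host}"
        if proto not in ("tcp", "udp"):
            problems.append(f"{label}: unknown protocol")
        if not 1 <= port <= 65535:
            problems.append(f"{label}: port out of range")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"{label}: not an IP address")
            continue
        if addr not in LAN:
            problems.append(f"{label}: target is outside {LAN}")
        elif addr == GATEWAY:
            problems.append(f"{label}: target is the gateway itself")
        elif addr in (LAN.network_address, LAN.broadcast_address):
            problems.append(f"{label}: target is not a host address")
    return problems

def route_inbound(forwards, proto, port):
    """Default deny: return the internal host that receives an unsolicited
    inbound connection, or None when no rule forwards that service."""
    return forwards.get((proto.lower(), port))

def exposed(forwards):
    """Group exposed services by internal host, for review."""
    by_host = {}
    for (proto, port), host in sorted(forwards.items()):
        by_host.setdefault(host, []).append(f"{proto}/{port}")
    return by_host

if __name__ == "__main__":
    for line in audit(FORWARDS) or ["forwarding table OK"]:
        print(line)
    for host, services in exposed(FORWARDS).items():
        print(host, ", ".join(services))
```

Reviewing the `exposed()` output per host is a quick way to confirm that only the minimum set of services is reachable from outside.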